Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)
MODERATE
GHSA-8wpr-639p-ccrj
CVE-2025-69211
Description:
A NestJS application is vulnerable if it meets all of the following criteria:
- Platform: Uses `@nestjs/platform-fastify`.
- Security Mechanism: Relies on `NestMiddleware` (via `MiddlewareConsumer`) for security checks (authentication, authorization, etc.), or applies middleware through `app.use()`.
- Routing: Applies middleware to specific routes using string paths or controllers (e.g., `.forRoutes('admin')`).
Example Vulnerable Config:
```typescript
// app.module.ts
import { MiddlewareConsumer, Module, NestModule } from '@nestjs/common';
import { AuthMiddleware } from './auth.middleware'; // the security middleware (file path assumed)

@Module({})
export class AppModule implements NestModule {
  configure(consumer: MiddlewareConsumer) {
    consumer
      .apply(AuthMiddleware) // Security check
      .forRoutes('admin'); // Vulnerable: Path-based restriction
  }
}
```
Attack Vector:
- Target Route: `/admin`
- Middleware Path: `admin`
- Attack Request: `GET /%61dmin`
- Result: Middleware is skipped (no match on `%61dmin`), but the controller for `/admin` is executed.
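The mismatch described in the attack vector above, as an added TypeScript model that is not NestJS or Fastify code: a guard that matches the raw request path beside one that decodes first, next to a router stand-in that always dispatches on the decoded path, plus a detection helper for requests whose raw and decoded paths differ. Route names and URLs are constructed for the example.

```typescript
// Added illustration, not NestJS or Fastify source: a minimal model of a
// middleware matcher that compares the RAW request path to a route string,
// next to a router that matches on the DECODED path. Values are constructed.

const stripQuery = (url: string): string => url.split('?')[0];

// Decode the path the way a router does before matching. Returns null for a
// malformed percent-sequence (e.g. '/%zz') so callers can fail closed.
export function normalizePath(url: string): string | null {
  try { return decodeURIComponent(stripQuery(url)); } catch { return null; }
}

// Exact-or-subpath match, e.g. 'admin' covers '/admin' and '/admin/users'.
function matchesRoute(path: string, route: string): boolean {
  return path === `/${route}` || path.startsWith(`/${route}/`);
}

// Vulnerable pattern: the guard decides on the raw, still-encoded path.
export function rawMatch(url: string, route: string): boolean {
  return matchesRoute(stripQuery(url), route);
}

// Hardened pattern: decide on the decoded path, and treat undecodable input
// as protected so the guard still runs on it.
export function normalizedMatch(url: string, route: string): boolean {
  const p = normalizePath(url);
  return p === null ? true : matchesRoute(p, route);
}

// Stand-in for the router: dispatches to the controller on the decoded path.
export function routerDispatches(url: string, route: string): boolean {
  const p = normalizePath(url);
  return p !== null && matchesRoute(p, route);
}

// A bypass is a request the controller handles although the guard never ran.
export function isBypass(url: string, route: string,
  guard: (u: string, r: string) => boolean): boolean {
  return routerDispatches(url, route) && !guard(url, route);
}

// Detection aid: requests whose raw and decoded paths differ are the ones a
// raw-string matcher can misjudge, so they are worth logging or alerting on.
export function encodingMismatch(url: string): boolean {
  const p = normalizePath(url);
  return p === null || p !== stripQuery(url);
}
```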
Consequences:
- Authentication Bypass: Unauthenticated users can access protected routes.
- Authorization Bypass: Restricted administrative endpoints become accessible to lower-privileged users.
- Input Validation Bypass: Middleware performing sanitization or validation can be skipped.
Patches
Patched in @nestjs/platform-fastify@11.1.11
Resources
Credit goes to Hacktron AI for reporting this issue.
Affected Packages
| Ecosystem | Package | Vulnerable Versions | Patched Version |
|---|---|---|---|
| npm | @nestjs/platform-fastify | < 11.1.10 | 11.1.11 |
Advisory Details
| Field | Value |
|---|---|
| Published | December 30, 2025 |
| Updated | January 05, 2026 |
| CVSS Score | 6.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U) |
| EPSS | 0.17% (38th percentile) |
| Source | GitHub |
| Classification | GENERAL |
| UUID | GSA_kwCzR0hTQS04d3ByLTYzOXAtY2Nyas4ABQZC |